US11451518B2 - Communication device, server device, concealed communication system, methods for the same, and program - Google Patents

Communication device, server device, concealed communication system, methods for the same, and program

Info

Publication number
US11451518B2
Authority
US
United States
Prior art keywords
information
session key
key generation
communication
communication device
Prior art date
Legal status
Active, expires
Application number
US16/960,129
Other versions
US20210126906A1 (en)
Inventor
Tetsutaro Kobayashi
Yuto KAWAHARA
Hitoshi Fuji
Reo YOSHIDA
Kazuki YONEYAMA
Current Assignee
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp
Assigned to Nippon Telegraph and Telephone Corporation; assignors: Kawahara, Yuto; Kobayashi, Tetsutaro; Yoshida, Reo; Fuji, Hitoshi; Yoneyama, Kazuki
Publication of US20210126906A1
Application granted
Publication of US11451518B2
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • the present invention relates to a communication protocol that can conceal metadata (such as the source and destination of communication) in the area of information communication. More particularly, it relates to a server device as a component of a concealed communication network, communication devices that utilize the concealed communication network, a concealed communication system formed of the server device and communication devices, methods for the same, and a program.
  • One conventional technique (Non-patent Literature 1) is an approach (mix-net) that ensures anonymity against a concealed communication network by encrypting messages multiple times using different public keys at the communication devices and shuffling the messages while repeating decryption among multiple server devices inside the concealed communication network.
  • Non-patent Literature 1: Nirvan Tyagi, Yossi Gilad, Derek Leung, Matei Zaharia, and Nickolai Zeldovich. “Stadium: A Distributed Metadata-Private Messaging System”, [online], SOSP 2017, [searched on Dec. 22, 2017], the Internet <URL: https://eprint.iacr.org/2016/943>
  • the mix-net-based approach has low throughput and is likely to cause delay because decrypting operations are repeated in the concealed communication network and the decrypting operations are proportional to the volume of concealed communication. It also has a disadvantage that the sender and recipient of communication are identifiable by monitoring entries to and exits from the concealed communication network.
  • An object of the present invention is to provide a concealed communication system, a server device, a communication device, and a concealed communication method in which decrypting operations in a concealed communication network are not proportional to the volume of concealed communication and which makes the sender and recipient of communication unidentifiable.
  • a communication device performs communication with other communication devices while keeping anonymity via a concealed communication network including a server device.
  • the communication device includes: a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively; a signature encryption unit in which, given that N communication devices including the communication device itself utilize concealed communication provided by the concealed communication network and that n communication devices out of the N communication devices belong to a group, (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device; a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n − 1 pieces of the input information and N − n number of
  • the present invention produces the effects of decrypting operations in a concealed communication network being not proportional to the volume of concealed communication, delay being less likely to occur, and the sender and recipient of communication being unidentifiable.
  • FIG. 1 is a functional block diagram of a concealed communication system according to a first embodiment.
  • FIG. 2 is a functional block diagram of a server device according to the first embodiment.
  • FIG. 3 is a functional block diagram of a key generation device according to the first embodiment.
  • FIG. 4 is a functional block diagram of a communication device according to the first embodiment.
  • FIG. 5 shows an example of the processing flow of a concealed communication system according to the first embodiment.
  • (BSC.Setup, BSC.Extract, Combine, BSC, BUSC): any-trust doubly-anonymous ID-based broadcast signcryption scheme (AT-DAIBSC scheme).
  • the AT-DAIBSC scheme includes the following five algorithms.
  • BSC.Setup is an algorithm that outputs a master secret key and a master public key when a security parameter κ is input.
  • BSC.Extract is an algorithm that outputs a partial secret key corresponding to a user identifier when the master secret key and a user identifier are input. Note that a partial secret key is assumed to be securely transmitted to the user corresponding to the user identifier.
  • Combine is an algorithm that outputs a secret key when m partial secret keys are input.
  • BSC is an algorithm that takes master public keys, a message, a secret key, and a set of recipient identifiers as input and outputs a cipher text.
  • BUSC is an algorithm that takes the master public keys, the secret key, and the cipher text as input and outputs a message M or an error.
  • G: a finite cyclic group of order p with generator g.
  • TCR: {0, 1}* → {0, 1}^κ, a target-collision-resistant hash function.
  • tPRF and tPRF′ are twisted PRFs.
  • the server device discloses (p, G, g, TCR, tPRF, tPRF′, F) as system parameters.
  • the kth KGC_k generates a master secret key BMSK_k and a master public key BMPK_k using BSC.Setup(1^κ) and discloses the master public key BMPK_k.
  • KGC_k means the kth key generation device, and there are K key generation devices on a communication network.
  • K is any integer greater than 0.
  • the N users may also be referred to as the N communication devices U_1, . . . , U_N in the present concealed communication system.
  • every KGC_k executes BSC.Extract to generate a partial secret key bsk_i^(k) (bsk_i^(k) ← BSC.Extract(BMSK_k, ID_i)) for i = 1, 2, . . . , N.
  • upon obtaining m partial secret keys bsk_i^(k), the user U_i concatenates these partial secret keys bsk_i^(k) using Combine and calculates a secret key bsk_i (bsk_i ← Combine({bsk_i^(k)}_{k∈[1,m]})).
  • m is any integer greater than 0 and K or less.
  • the m partial secret keys bsk_i^(k) need not necessarily be the first to the mth partial secret keys bsk_i^(k), but may be any m out of the K partial secret keys bsk_i^(k).
  • the user U_p executes the following processing.
  • the total number of users belonging to the group to which the user U_p belongs is represented as n (n ≤ N) and the set of those users is represented as R.
  • the user U_p generates a cipher text CT_p with BSC (CT_p ← BSC({BMPK_k}_{k∈[1,m]}, ID_p ∥ M, bsk_p, R′)), and transmits the cipher text CT_p to the server device.
  • the user U_r transmits a dummy message ε to the server device.
  • a user U_q who corresponds to ID_q belonging to R′ downloads n − 1 cipher texts (CT_1, . . . , CT_{q−1}, CT_{q+1}, . . . , CT_n) and N − n dummy messages ε from the server device.
  • the user U_q decrypts the cipher text with BUSC ((ID_p, M) ← BUSC({BMPK_k}_{k∈[1,m]}, bsk_q, CT_p)). If the result of decrypting the cipher text is (ID_p, M), the user U_q regards M as the message transmitted from the user U_p.
  • Broadcast executes the (Signature) process and (Downloading and verification) process described above at intervals of a predetermined time T 1 .
  • a user randomly executes the (Signature) process described above within a predetermined time T ( ⁇ T 1 ).
  • the user executes the (Downloading and verification) process.
  • a group of users U_1, . . . , U_n start a new session and share a session key.
  • “broadcasting M” means that M is transmitted to all the users in the group through the following processing.
  • CT_p is also called first information.
  • k′_p is also called second information.
  • Any user U_r who corresponds to ID_r ∈ (ID_1, . . . , ID_N) \ R (ID_r included in the difference set between the set of all the IDs (ID_1, . . . , ID_N) and a subset R of IDs) generates x_r ←_R {0, 1}^κ, x̃_r ←_R salt_κ, k_r ←_R {0, 1}^κ, and k̃_r ←_R salt_κ as ESK_r and broadcasts ε as a cipher text CT_r.
  • ε is a dummy message selected from G × {0, 1}^{ν_ID}.
  • the user U_r may also obtain CT_r ← BSC({BMPK_k}_{k∈[1,m]}, ID_r ∥ ε, bsk_r, R′) and transmit the cipher text CT_r to the server device.
  • because the identifier of the user U_r is not included in the set R, no user can decrypt the cipher text CT_r, and the cipher text CT_r becomes meaningless information, as with the dummy message ε.
  • any user U_p corresponding to ID_p ∈ R removes ε as a dummy message and decrypts {CT_q}_{ID_q∈R\{ID_p}} to obtain {X_q}_{ID_q∈R\{ID_p}} ((ID_q, X_q) ← BUSC({BMPK_k}_{k∈[1,m]}, bsk_p, CT_q)).
  • for the dummy message ε, the protocol BUSC will output an error message.
  • ε may also be information that can be identified as distinct from a cipher text. For example, by making the data formats of ε and CT_j different from each other, an error may be determined without executing the protocol BUSC.
  • A xor B means an exclusive OR between A and B. Then, the user U_p broadcasts (k′_p, T_p). Note that T_p is also called third information.
  • ε is a dummy message selected from G^2 × {0, 1}^{ν_ID}.
  • any user U_p corresponding to ID_p ∈ R removes ε as a dummy message and receives {(k′_q, T_q)}_{ID_q∈R\{ID_p}} and (T′, T_1).
  • XOR_{A≤B≤C} D_B means D_A xor D_{A+1} xor . . . xor D_C.
  • any user U_p corresponding to ID_p ∈ R encrypts MS with the session key SK using a symmetric key cryptosystem like AES, outputs a cipher text C, and broadcasts C.
  • any user U_p corresponding to ID_p ∈ R removes ε as a dummy message and obtains the message MS.
  • FIG. 1 shows a topology of a concealed communication system according to a first embodiment.
  • the concealed communication system includes a server device 100 , K key generation devices 200 - k (equivalent to the KGC k above), and N communication devices 300 - i (equivalent to the U i above).
  • the server device 100 is a component of a concealed communication network and is communicatively connected with the N communication devices 300 - i via a communication network 1 .
  • the K key generation devices 200 - k are each communicatively connected with the N communication devices 300 - i via the communication network 1 .
  • the server device 100 and the K key generation devices 200 - k may or may not be communicatively connected with each other.
  • although this embodiment assumes that one communication device is operated by one user, one communication device may be operated by L users.
  • L is any integer greater than 1. In that case, one communication device may be regarded as L communication devices.
  • when L communication devices are operated by one user, the L communication devices may be regarded as one communication device.
  • the concealed communication system includes as many communication devices as the number of users of the concealed communication services provided by the concealed communication system. However, when one user has more than one account, that one user may be regarded as multiple users.
  • Each of the server device 100 , the K key generation devices 200 - k , and the N communication devices 300 - i is a specially designed device configured by loading of a special program into a well-known or dedicated computer having a central processing unit (CPU), a main storage unit (random access memory: RAM), and the like, for example.
  • the server device 100 , the K key generation devices 200 - k , and the N communication devices 300 - i each perform various kinds of processing under control of the central processing unit, for example.
  • Data input to the server device 100 , the K key generation devices 200 - k , and the N communication devices 300 - i or data resulting from their processing are stored in the main storage unit, for example, and the data stored in the main storage unit is read to the central processing unit for utilization in other processing as necessary.
  • the processing components of the server device 100 , the K key generation devices 200 - k , and the N communication devices 300 - i may at least partially be composed of hardware such as integrated circuitry.
  • Storages included in the server device 100 , the K key generation devices 200 - k , and the N communication devices 300 - i may be composed of a main storage unit such as random access memory (RAM), an auxiliary storage unit formed of a hard disk, an optical disk, or a semiconductor memory element such as flash memory, or middleware such as a relational database or a key value store, for example.
  • FIG. 2 shows a functional block diagram of the server device 100 ;
  • FIG. 3 shows a functional block diagram of the key generation device 200 - k ; and
  • FIG. 4 shows a functional block diagram of the communication device 300 - i .
  • FIG. 5 shows an example of the processing flow of the concealed communication system.
  • the server device 100 includes a session key generation information saving unit 110 and a message saving unit 120 .
  • the key generation device 200 - k includes a master key generation unit 210 , a partial secret key generation unit 220 , and a storage 230 .
  • the communication device 300 - i includes a secret key generation unit 310 , a signature encryption unit 320 , a signature decryption unit 330 , a session key generation unit 380 , and a message sending and receiving unit 370 .
  • the session key generation unit 380 further includes a session key generation first processing unit 340 , a session key generation second processing unit 350 , and a session key generation post-processing unit 360 .
  • the communication device 300 - i communicates with at least m out of the K key generation devices 200 - k and generates a secret key (S 1 ).
  • the communication device 300 - p generates a session key which will be used in communication with other communication devices 300 - q included in a group to which the communication device 300 - p itself belongs via the server device 100 (S 2 ).
  • using the secret key generated at S 1 , the information to be transmitted and received is encrypted and decrypted.
  • the communication device 300 - p transmits and receives messages to/from other communication devices 300 - q included in the group to which the communication device 300 - p itself belongs via the server device 100 (S 3 ).
  • the messages are encrypted and decrypted using the session key generated at S 2 . Further, using the secret key generated at S 1 , encrypted messages are encrypted and decrypted.
  • the server device 100 generates or selects system parameters (p, G, g, TCR, tPRF, tPRF′, F), stores them in a storage not shown, and discloses them.
  • Disclose means saving something so that it is accessible to the N communication devices 300 - i included in the concealed communication system.
  • the master key generation unit 210 of each of the K key generation devices 200 - k generates a master secret key BMSK_k and a master public key BMPK_k using BSC.Setup ((BMSK_k, BMPK_k) ← BSC.Setup(1^κ)), and discloses the master public key BMPK_k.
  • the master secret key BMSK_k is stored in the storage 230 and kept secret.
  • the phrase “keeping secret” means saving certain information such that it cannot be accessed by unauthorized users or other devices.
  • the partial secret key generation unit 220 of each of the K key generation devices 200 - k generates a partial secret key bsk_i^(k) for each communication device 300 - i using BSC.Extract with the master secret key BMSK_k and the identifier ID_i of each communication device 300 - i as input (bsk_i^(k) ← BSC.Extract(BMSK_k, ID_i)), and transmits it to each communication device 300 - i .
  • the partial secret key generation unit 220 receives the identifier ID_i and a partial key generation request from each communication device 300 - i , and generates the partial secret key bsk_i^(k) upon request.
  • the secret key generation unit 310 of each communication device 300 - i obtains the partial secret key bsk_i^(k) from each of at least m key generation devices 200 - k , concatenates the partial secret keys bsk_i^(k) using Combine, calculates a secret key bsk_i (bsk_i ← Combine({bsk_i^(k)}_{k∈[1,m]})), and stores it in a storage not shown, keeping it secret.
  • m is any integer greater than 0 and K or less.
  • each communication device 300 - i transmits and receives information that is encrypted with the secret key bsk i to/from the server device 100 , so the server device 100 is unable to decrypt the information.
  • the signature encryption unit 320 of any communication device 300 - p that belongs to the set R among the N communication devices 300 - i takes the message M, the secret key bsk_p, and the set R as input, generates a cipher text CT_p with BSC (CT_p ← BSC({BMPK_k}_{k∈[1,m]}, ID_p ∥ M, bsk_p, R′)), and transmits the cipher text CT_p to the server device 100 .
  • the secret key bsk_p is fetched from a storage not shown.
  • the set R can be acquired (for example, distributed by a representative communication device of the group) at the time of becoming a member of the group or at the time of changing a communication device belonging to the group, and the communication device 300 - p stores it in a storage not shown and fetches it at the time of broadcasting.
  • {BMPK_k}_{k∈[1,m]} is acquired by receiving the one disclosed at the master key generation unit 210 of the key generation device 200 - k (k ∈ [1, m]), storing it in a storage not shown, and fetching it at the time of broadcasting.
  • the message M is input only once in some manner within a series of exchanges (a single broadcast), and similarly the cipher text CT p is also generated only once and transmitted.
  • the message M may be information entered by the user of the communication device 300 - p or information acquired or generated based on entered information, or may be information collected by the communication device 300 - p from a storage not shown or information acquired or generated based on collected information.
  • the session key generation information saving unit 110 of the server device 100 receives the message that was encrypted by the communication device 300 - p (that is, the cipher text CT_p), and stores the n cipher texts such that they are downloadable by the other communication devices.
  • the session key generation information saving unit 110 also receives the dummy messages ε transmitted by each communication device 300 - r not belonging to the set R, and stores the N − n dummy messages such that they are downloadable by the other communication devices.
  • the signature decryption unit 330 of each of the n communication devices 300 - p belonging to the set R among the N communication devices 300 - i downloads n − 1 cipher texts CT_1, . . . , CT_{p−1}, CT_{p+1}, . . . , CT_n and N − n dummy messages ε from the server device 100 .
  • the signature decryption unit 330 of the communication device 300 - i may also be configured to download n cipher texts (CT_1, . . . , CT_n) and N − n dummy messages ε and discard the cipher text CT_p transmitted by the communication device 300 - p itself.
  • the signature decryption unit 330 decrypts the cipher text CT_q with BUSC ((ID_q, M) ← BUSC({BMPK_k}_{k∈[1,m]}, bsk_p, CT_q)). If the result of decrypting the cipher text is (ID_q, M), the communication device 300 - p regards M as the message transmitted from the communication device 300 - q . Further, the signature decryption unit 330 of the communication device 300 - p discards the N − n dummy messages ε.
  • the signature decryption unit 330 of each of the N − n communication devices 300 - r not belonging to the set R among the N communication devices 300 - i downloads n cipher texts CT_1, . . . , CT_n and N − n − 1 dummy messages ε from the server device 100 .
  • the signature decryption unit 330 of the communication device 300 - i may also be configured to download n cipher texts (CT_1, . . . , CT_n) and N − n dummy messages ε and discard the dummy message ε transmitted by the communication device 300 - p itself.
  • the signature decryption unit 330 discards the downloaded cipher texts (CT_1, . . . , CT_n) and dummy messages ε. Note that the signature decryption unit 330 of a communication device 300 - r not belonging to the set R is unable to decrypt the downloaded cipher texts (CT_1, . . . , CT_n).
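The (Signature) and (Downloading and verification) steps above, simulated end to end in Python as an added example that is not part of the patent or of NTT's code: every one of the N devices uploads exactly one item to the server device and downloads the N − 1 items of the others, members of R uploading cipher texts and the rest uploading dummies ε drawn from the same space as a cipher text. The ID-based signcryption pair BSC/BUSC is replaced by a keyed stand-in (a SHA-256 counter keystream plus an HMAC tag under a key assumed to be held only by members of R); the item length, the payload length and the device identifiers are assumptions. The check a reviewer wants is `server_views_identical`: the tuple the server can observe per device (upload size, download count, download volume) is the same whether or not the device belongs to R.

```python
# Simulation of one broadcast round through the untrusted server device:
# N communication devices, n of which belong to the group R.  Constructed
# example; BSC/BUSC are replaced by a keyed stand-in so that only the
# round's traffic shape, not the signcryption scheme, is exercised.
import hashlib
import hmac
import os

ITEM_LEN = 64      # assumption: every uploaded item, cipher text or dummy, has this length
PAYLOAD_LEN = 32   # assumption: ID_p || M is padded to this length inside the stand-in


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in, not the scheme's construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def bsc_stand_in(group_key: bytes, sender_id: str, message: bytes) -> bytes:
    """Stand-in for BSC: encrypt ID_p || M and authenticate it under a key that only
    members of R hold.  Output layout: nonce(16) || tag(16) || body(32).
    Trailing zero bytes in M are not supported by this padding."""
    payload = sender_id.encode() + b"|" + message
    if len(payload) > PAYLOAD_LEN:
        raise ValueError("payload too long for this stand-in")
    payload = payload.ljust(PAYLOAD_LEN, b"\x00")
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(payload, _keystream(group_key, nonce, PAYLOAD_LEN)))
    tag = hmac.new(group_key, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + tag + body


def busc_stand_in(group_key: bytes, item: bytes):
    """Stand-in for BUSC: returns (ID_q, M) on success and None on error.  A dummy
    epsilon fails the tag check, which is how a member recognises and discards it."""
    if len(item) != ITEM_LEN:
        return None
    nonce, tag, body = item[:16], item[16:32], item[32:]
    expected = hmac.new(group_key, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    payload = bytes(a ^ b for a, b in zip(body, _keystream(group_key, nonce, PAYLOAD_LEN)))
    sender, _, message = payload.rstrip(b"\x00").partition(b"|")
    return sender.decode(), message


def dummy_message() -> bytes:
    """Dummy epsilon drawn uniformly from the same space as a cipher text."""
    return os.urandom(ITEM_LEN)


def run_round(device_ids, group, messages, group_key):
    """One (Signature) step followed by one (Downloading and verification) step.
    Returns (server_view, received): server_view[dev] is the tuple the server can
    observe for that device, received[dev] the messages the device recovered."""
    store = {}                                  # server device: one uploaded item per device
    for dev in device_ids:
        store[dev] = bsc_stand_in(group_key, dev, messages[dev]) if dev in group else dummy_message()

    server_view, received = {}, {}
    for dev in device_ids:
        downloaded = [store[other] for other in device_ids if other != dev]   # N - 1 items
        server_view[dev] = (len(store[dev]), len(downloaded), sum(len(x) for x in downloaded))
        opened = {}
        if dev in group:
            for item in downloaded:             # n - 1 cipher texts open; N - n dummies error out
                result = busc_stand_in(group_key, item)
                if result is not None:
                    opened[result[0]] = result[1]
        # a device outside R lacks the key, so it discards all N - 1 items
        received[dev] = opened
    return server_view, received


def server_views_identical(server_view) -> bool:
    """Check: the server's per-device observation does not depend on membership in R."""
    return len(set(server_view.values())) == 1


if __name__ == "__main__":
    devices = ["U1", "U2", "U3", "U4", "U5", "U6"]          # constructed: N = 6
    group = {"U2", "U4", "U5"}                               # constructed: R, n = 3
    msgs = {"U2": b"hello", "U4": b"from U4", "U5": b"x"}    # constructed messages M
    view, got = run_round(devices, group, msgs, b"k" * 32)
    print("server view identical for all devices:", server_views_identical(view))
    print("U2 recovered:", got["U2"], "| U1 recovered:", got["U1"])
```

The dummy is drawn uniformly from the cipher-text space, matching the choice of ε from G × {0, 1}^{ν_ID} in the text, and a member recognises it only by the BUSC error. If ε and CT_j were instead given different data formats, as the text also permits, that difference is present in the bytes the server device stores as well, so a deployment taking that option has to confirm the format difference does not reveal which devices belong to R.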
  • Broadcast executes the processing in the signature encryption unit 320 and the processing in the signature decryption unit 330 described above at intervals of the predetermined time T 1 .
  • the above-described processing in the signature encryption unit 320 is executed randomly in a predetermined time T ( ⁇ T 1 ).
  • the processing in the signature decryption unit 330 is executed.
  • the session key generation unit 380 of any communication device 300 - p belonging to the set R broadcasts information for use in generation of a session key (hereinafter, also called session key generation information). That is, it encrypts the session key generation information and transmits it to the server device 100 .
  • the session key generation unit 380 of any communication device 300 - r not belonging to the set R broadcasts a dummy message. That is, it transmits a dummy message to the server device 100 .
  • the session key generation unit 380 of the communication device 300 - p belonging to the set R downloads the encrypted n − 1 pieces of session key generation information and N − n dummy messages ε from the server device 100 , decrypts the encrypted n − 1 pieces of session key generation information using the secret key bsk_p, and generates a session key using the decrypted n − 1 pieces of session key generation information and the session key generation information generated by itself.
  • the session key generation unit 380 of the communication device 300 - r not belonging to the set R downloads the encrypted n pieces of session key generation information and N − n − 1 dummy messages ε from the server device 100 and discards them.
  • SSK_p = (bsk_p, st_p, st̃_p) is stored in a storage not shown.
  • X_p is also called the first information.
  • k′_p is also called the second information.
  • the session key generation first processing unit 340 of any communication device 300 - r not belonging to the set R among the N communication devices 300 - i generates x_i ←_R {0, 1}^κ, x̃_i ←_R salt_κ, k_i ←_R {0, 1}^κ, and k̃_i ←_R salt_κ as the ephemeral secret key ESK_i and broadcasts ε. That is, it transmits ε to the server device 100 .
  • ε is a dummy message selected from G × {0, 1}^{ν_ID}.
  • the session key generation information saving unit 110 of the server device 100 receives the encrypted n pieces of first information X_p and N − n dummy messages ε and stores them in a downloadable manner.
  • the session key generation second processing unit 350 of any communication device 300 - p belonging to the set R among the N communication devices 300 - i downloads n − 1 cipher texts CT_1, . . . , CT_{p−1}, CT_{p+1}, . . . , CT_n and N − n dummy messages ε from the server device 100 .
  • the session key generation second processing unit 350 removes the dummy messages ε and decrypts {CT_q}_{ID_q∈R\{ID_p}} to obtain {X_q}_{ID_q∈R\{ID_p}} ((ID_q, X_q) ← BUSC({BMPK_k}_{k∈[1,m]}, bsk_p, CT_q)).
  • the session key generation second processing unit 350 obtains CT_p ← BSC({BMPK_k}_{k∈[1,m]}, ID_p ∥ (k′_p, T_p), bsk_p, R′) and transmits the cipher text CT_p to the server device 100 .
  • TCR is acquired by receiving the one disclosed at the server device 100 .
  • CT_1 ← BSC({BMPK_k}_{k∈[1,m]}, ID_1 ∥ (k′_1, T_1), bsk_1, R′)
  • the session key generation second processing unit 350 of any communication device 300 - r not belonging to the set R among the N communication devices 300 - i downloads all the cipher texts (CT_1, . . . , CT_n) and N − n − 1 dummy messages ε from the server device 100 and discards them. It further broadcasts a new dummy message ε. That is, the session key generation second processing unit 350 transmits ε to the server device 100 .
  • ε is a dummy message selected from G^2 × {0, 1}^{ν_ID}.
  • the session key generation information saving unit 110 of the server device 100 receives n − 1 sets of (k′_p, T_p), one set of (T′, T_1), and N − n dummy messages ε and stores them in a downloadable manner.
  • T p is also called the third information
  • T′ is also called the fourth information.
  • the session key generation information described above is information including the first information, the second information, the third information, and the fourth information, for example.
  • the session key generation post-processing unit 360 of any communication device 300 - p belonging to the set R among the N communication devices 300 - i downloads n ⁇ 1 cipher texts CT 1 , . . . , CT p ⁇ 1 , CT p+1 , . . . , CT n and N ⁇ n dummy messages ⁇ from the server device 100 .
  • the session key generation post-processing unit 360 removes c as dummy messages.
  • the session key generation post-processing unit 360 of any communication device 300 - p other than the representative communication device 300 - l among the n communication devices 300 - p belonging to the set R decrypts ⁇ CT q ⁇ ID_q ⁇ R ⁇ ID_p ⁇ and obtains (k′ q , T q ) ID_q ⁇ R and (T′, T 1 ) ((ID 1 , (k′ q , T q )) ⁇ BUSC ( ⁇ BMPK k ⁇ k ⁇ [1,m] , bsk p , CT q ), (ID 1 , (T′, T 1 )) ⁇ BUSC ( ⁇ BMPK k ⁇ k ⁇
  • the session key generation post-processing unit 360 of the representative communication device 300 - l among the n communication devices 300 - p belonging to the set R decrypts ⁇ CT q ⁇ ID_q ⁇ R ⁇ ID_1 ⁇ and obtains (k′ q , T q ) ID_q ⁇ R′ ((ID q , (k′ q , T q )) ⁇ BUSC ( ⁇ BMPK k ⁇ k ⁇ [1,m] , bsk 1 , CT q )).
  • the session key generation post-processing unit 360 of any communication device 300 - r not belonging to the set R among the N communication devices 300 - i downloads all the cipher texts (CT 1 , . . . , CT n ) and N ⁇ n ⁇ 1 dummy messages ⁇ from the server device 100 and discards them.
  • the message sending and receiving unit 370 of any communication device 300 - p belonging to the set R encrypts MS with the session key SK using a symmetric key cryptosystem like AES and broadcasts a cipher text C. That is, the message sending and receiving unit 370 obtains CT p ⁇ BSC ( ⁇ BMPK k ⁇ k ⁇ [1,m] , ID p ⁇ C, bsk p , R′) and transmits the cipher text CT p to the server device 100 . As broadcast is performed at the intervals of predetermined time T 1 , processing may be performed regarding an empty message as the message MS when there is no message MS.
  • the message sending and receiving unit 370 of any communication device 300 - r not belonging to the set R broadcasts a new dummy message ⁇ . That is, the message sending and receiving unit 370 transmits ⁇ to the server device 100 without encrypting it.
  • the message saving unit 120 of the server device 100 receives encrypted n cipher texts CT 1 , . . . , CT p ⁇ 1 , CT +1 , . . . , CT n and N ⁇ n dummy messages ⁇ and stores them in a downloadable manner.
  • the message sending and receiving unit 370 of any communication device 300 - p belonging to the set R downloads n ⁇ 1 cipher texts CT 1 , . . . , CT p ⁇ 1 , CT p+1 , . . . , CT n and N ⁇ n dummy messages ⁇ from the server device 100 .
  • the message sending and receiving unit 370 removes ⁇ as dummy messages and decrypts ⁇ CT q ⁇ ID_q ⁇ R ⁇ ID_p ⁇ to obtain the cipher text C ((C, ID q ) ⁇ BUSC ( ⁇ BMPK k ⁇ k ⁇ [1,m] , bsk p , CT q )). Further, it decrypts the cipher text C with the session key SK to obtain the message MS.
  • the message sending and receiving unit 370 of any communication device 300 - r not belonging to the set R downloads n cipher texts CT 1 , . . . , CT n and N ⁇ n ⁇ 1 dummy messages ⁇ from the server device 100 , and discards them.
  • the present invention is not limited to the above embodiment and modification.
  • the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary.
  • changes may be made as appropriate without departing from the spirit of the present invention.
  • processing functions in the devices described in the above embodiment and modification may be implemented on a computer.
  • the contents of the processing functions to be contained in each device are written as a program. When this program is executed on the computer, the various processing functions of the above-described devices are implemented on the computer.
  • the computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.
  • Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be distributed by storing the program in a storage unit of a server computer and transferring the program from the server computer to other computers via a network.
  • a computer which executes such program first stores the program recorded in a portable recording medium or transferred from a server computer once in a storage thereof, for example.
  • the computer reads out the program stored in the storage thereof and performs processing in accordance with the program thus read out.
  • the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program.
  • the computer may sequentially perform processing in accordance with the received program.
  • a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition.
  • ASP application service provider
  • the program includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).
  • the devices are assumed to be configured with a predetermined program executed on a computer. However, at least part of these processing contents may be realized in a hardware manner.

Abstract

A communication device includes a signature encryption unit that encrypts input information with a secret key and transmits the information to a server device if the communication device belongs to a group, and a signature decryption unit that downloads, from the server device, encrypted n−1 pieces of the input information transmitted from other communication devices and decrypts the encrypted n−1 pieces of input information with the secret key if the communication device belongs to a group. The communication device transmits session key generation information to the server device via the signature encryption unit, generates a session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device, transmits a cipher text encrypted with the session key via the signature encryption unit to the server device, and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key.

Description

TECHNICAL FIELD
The present invention relates to a communication protocol that can conceal metadata (such as the source and destination of communication) in the area of information communication. More particularly, it relates to a server device as a component of a concealed communication network, communication devices that utilize the concealed communication network, a concealed communication system formed of the server device and communication devices, methods for the same, and a program.
BACKGROUND ART
It is a widely known fact that intelligence agencies or the like of some nations monitor communications such as electronic mail, chat, and voice calls. As a countermeasure against it, anonymization tools such as The Onion Router (Tor) that secure the anonymity of communication by concealing metadata from communication networks have become prevalent.
One of conventional techniques is an approach (mix-net) which ensures anonymity against a concealed communication network by encrypting messages multiple times using different public keys at communication devices and shuffling the messages while repeating decryption among multiple server devices inside the concealed communication network (Non-patent Literature 1).
PRIOR ART LITERATURE Non-Patent Literature
Non-patent Literature 1: Nirvan Tyagi, Yossi Gilad, Derek Leung, Matei Zaharia, and Nickolai Zel-dovich. “Stadium: A Distributed Metadata-Private Messaging System”, [online], SOSP 2017, [searched on Dec. 22, 2017], the Internet <URL: https://eprint.iacr.org/2016/943>
SUMMARY OF THE INVENTION Problems to be Solved by the Invention
However, the mix-net-based approach has low throughput and is likely to cause delay because decrypting operations are repeated in the concealed communication network and the decrypting operations are proportional to the volume of concealed communication. It also has a disadvantage that the sender and recipient of communication are identifiable by monitoring entries to and exits from the concealed communication network.
An object of the present invention is to provide a concealed communication system, a server device, a communication device, and a concealed communication method in which decrypting operations in a concealed communication network are not proportional to the volume of concealed communication and which makes the sender and recipient of communication unidentifiable.
Means to Solve the Problems
In order to solve the above-described problem, a communication device according to an aspect of the present invention performs communication with other communication devices while keeping anonymity via a concealed communication network including a server device. The communication device includes: a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively; a signature encryption unit in which given that N communication devices including the communication device itself utilize concealed communication provided by the concealed communication network and that n communication devices out of the N communication devices belong to a group, (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device; a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption unit downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices; a session key generation unit that transmits session key generation information to the server device via the signature encryption unit, the session key generation information being information for use in generation of a session key, and generates the session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device itself; and a message sending and receiving unit that transmits a cipher text encrypted with the session key via the signature encryption unit to the server device and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key.
Effects of the Invention
The present invention produces the effects of decrypting operations in a concealed communication network being not proportional to the volume of concealed communication, delay being less likely to occur, and the sender and recipient of communication being unidentifiable.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a functional block diagram of a concealed communication system according to a first embodiment.
FIG. 2 is a functional block diagram of a server device according to the first embodiment.
FIG. 3 is a functional block diagram of a key generation device according to the first embodiment.
FIG. 4 is a functional block diagram of a communication device according to the first embodiment.
FIG. 5 shows an example of the processing flow of a concealed communication system according to the first embodiment.
DETAILED DESCRIPTION OF THE EMBODIMENTS
An embodiment of the present invention is described below. In the drawings used in the following description, components with the same function or steps with the same processing are denoted with the same reference characters and redundant description thereof is omitted. In the following description, any processing that is performed per element of a vector or matrix is intended to be applied to all the elements of the vector or matrix unless otherwise specified.
<Settings and Terminology>
π=(BSC.Setup, BSC.Extract, Combine, BSC, BUSC): any-trust doubly-anonymous ID-based broadcast signcryption scheme (AT-DAIBSC scheme). The AT-DAIBSC scheme includes the following five algorithms. BSC.Setup is an algorithm that outputs a master secret key and a master public key when a security parameter κ is input. BSC.Extract is an algorithm that outputs a partial secret key corresponding to a user identifier when the master secret key and a user identifier are input. Note that a partial secret key is assumed to be securely transmitted to the user corresponding to the user identifier. Combine is an algorithm that outputs a secret key when m partial secret keys are input. BSC is an algorithm that takes the master public keys, a message, a secret key, and a set of recipient identifiers as input and outputs a cipher text. BUSC is an algorithm that takes the master public keys, the secret key, and the cipher text as input and outputs a message M or an error.
p: a κ-bit prime number
G: a finite cyclic group of order p with generator g
TCR: {0, 1}*→{0, 1}κ. TCR hash function (TCR means target-collision resistant)
tPRF: {0, 1}κ×Salt2 κ×{0, 1}κ→Zp (PRF means pseudo-random function)
tPRF′: {0, 1}κ×Salt2 κ×{0, 1}κ→G
tPRF and tPRF′ are twisted PRFs
F: G×{0, 1}κ→K spaceκ. A pseudo random function with K spaceκ being a session key space
<Settings>
The server device discloses (p, G, g, TCR, tPRF, tPRF′, F) as system parameters.
The kth KGCk generates a master secret key BMSKk and a master public key BMPKk using BSC.Setup (1κ) and discloses the master public key BMPKk. KGCk means the kth key generation device, and there are K key generation devices on a communication network. Here, K is any integer greater than 0.
It is assumed that there are N users (which may also be referred to as N communication devices) U1, . . . , UN in the present concealed communication system.
For each user Ui, every KGCk executes BSC.Extract to generate a partial secret key bsk(k)i (bsk(k)i←BSC.Extract (BMSKk, IDi)). Here, i=1, 2, . . . , N holds.
Upon obtaining m partial secret keys bsk(k)i, the user Ui concatenates these partial secret keys bsk(k)i using Combine and calculates a secret key bski (bski←Combine ({bsk(k)i}k∈[1,m])). Here, m is any integer greater than 0 and K or less. The m partial secret keys bsk(k)i need not necessarily be the first to the mth partial secret keys bsk(k)i, but may be any m out of the K partial secret keys bsk(k)i.
The user Ui also generates secret character strings sti, st˜i (sti ∈R {0, 1}κ, st˜i ∈R saltκ), and stores information on them as a static secret key SSKi=(bski, sti, st˜i).
<Broadcast>
When a certain user Up broadcasts the message M to other users in a certain group to which the user Up belongs (when the user Up transmits the message M without specifying recipients) in a series of exchanges, the user Up executes the following processing. Here, the total number of users belonging to the group to which the user Up belongs is represented as n (n≤N) and the set of those users is represented as R. In this example, assume that R=(IDi_1, . . . , IDi_n)=(ID1, . . . , IDn) (the first to the nth communication devices belong to the group) for the sake of simplicity. Here, similar processing could be performed on the assumption that any n communication devices out of N communication devices belong to the group. Thus, in this example, p=1, 2, . . . , n holds, and the set excluding the user Up from the set R is defined as R\{IDp}=R′=(ID1, . . . , IDp−1, IDp+1, . . . , IDn). Any user other than the user Up who belongs to the group is represented as Uq, where q=1, 2, . . . , n and p≠q hold. A user who uses the concealed communication system and who does not belong to the group is represented as Ur, where r=n+1, n+2, . . . , N holds.
(Signature) The user Up generates a cipher text CTp with BSC (CTp←BSC ({BMPKk}k∈[1,m], IDp∥M, bskp, R′)), and transmits the cipher text CTp to the server device. Here, it is assumed that the user Up can transmit the cipher text CTp only once in a series of exchanges (a single broadcast). The user Ur transmits a dummy message ε to the server device.
(Downloading and verification) A user Uq who corresponds to IDq belonging to R′ downloads n−1 cipher texts (CT1, . . . , CTq−1, CTq+1, . . . , CTn) and N−n dummy messages ε from the server device. The user Uq decrypts the cipher text with BUSC ((IDp, M)←BUSC ({BMPKk}k∈[1,m], bskq, CTp)). If the result of decrypting the cipher text is (IDp, M), the user Uq regards M as the message transmitted from the user Up.
Broadcast executes the (Signature) process and (Downloading and verification) process described above at intervals of a predetermined time T1. For example, a user randomly executes the (Signature) process described above within a predetermined time T (<T1). When the predetermined time T has elapsed, the user executes the (Downloading and verification) process.
<Session Key Generation>
A group of users U1, . . . , Un start a new session and share a session key. In this protocol, “broadcasting M” means that M is transmitted to all the users in the group through the following processing.
(Step 1)
Any user Up corresponding to IDp∈R generates xp ∈R {0, 1}κ, x˜p ∈R saltκ, kp ∈R {0, 1}κ, and k˜p ∈R saltκ as ESKp (an ephemeral secret key for the user Up) and calculates x′p=tPRF (st˜p, xp, stp, x˜p) and k′p=tPRF′(st˜p, kp, stp, k˜p). Then, the user Up calculates Xp=g^{x′_p} and broadcasts Xp as a cipher text CTp. That is, the user Up obtains CTp←BSC ({BMPKk}k∈[1,m], IDp∥Xp, bskp, R′) and transmits the cipher text CTp to the server device. Note that Xp is also called first information and k′p is also called second information.
Any user Ur who corresponds to IDr∈(ID1, . . . , IDN)\R (IDr included in the difference set between the set of all the IDs (ID1, . . . , IDN) and a subset R of IDs) generates xr ∈R {0, 1}κ, x˜r ∈R saltκ, kr ∈R {0, 1}κ, and k˜r ∈R saltκ as ESKr and broadcasts ε as a cipher text CTr. Here, ε is a dummy message selected from G×{0, 1}ν_ID. The user Ur may also obtain CTr←BSC ({BMPKk}k∈[1,m], IDr∥ε, bskr, R′) and transmit the cipher text CTr to the server device. However, since the identifier of the user Ur is not included in the set R, no user can decrypt the cipher text CTr, and the cipher text CTr becomes meaningless information as with the dummy message ε.
(Step 2)
After downloading the message, any user Up corresponding to IDp∈R removes ε as a dummy message and decrypts {CTq}ID_q∈R\{ID_p} to obtain {Xq}ID_q∈R\{ID_p} ((IDq, Xq)←BUSC ({BMPKk}k∈[1,m], bskp, CTq)). If the user Up downloads a dummy message or the cipher text thereof and performs decryption processing on it, the protocol BUSC will output an error message. ε may also be information that can be identified as cipher text. For example, by making the data formats of ε and CTj different from each other, an error may be determined without executing the protocol BUSC.
Any user Up (though excluding user U1) calculates sid=TCR(CT1, . . . , CTn) and Tp = X_{p−1}^{x′_p} xor X_{p+1}^{x′_p}. Here, A xor B means an exclusive OR between A and B. Then, the user Up broadcasts (k′p, Tp). Note that Tp is also called third information.
The user U1 calculates sid=TCR(CT1, . . . , CTn), T1 = X_n^{x′_1} xor X_2^{x′_1}, and T′ = X_n^{x′_1} xor k′1. Then, the user U1 broadcasts (T′, T1). Note that T′ is also called fourth information.
Any user Ur corresponding to IDr∈(ID1, . . . , IDN)\R broadcasts ε. Here, ε is a dummy message selected from G2×{0, 1}ν_ID.
(Session Key Generation and Post-Calculation)
After downloading the message, any user Up corresponding to IDp∈R removes ε as a dummy message and receives (k′q, Tq)ID_q∈R\{ID_p} and (T′, T1).
Any user Up (though excluding the user U1) calculates k′1 = T′ xor X_{p−1}^{x′_p} xor (XOR_{1≤j≤p−1} Tj) and SK=F(XOR_{1≤p≤n} k′p, sid). Here, XOR_{A≤B≤C} D_B means D_A xor D_{A+1} xor . . . xor D_C.
The user U1 calculates SK=F(XOR1≤p≤n k′p, sid).
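The ring-based session key agreement of <Session Key Generation> (Step 1, Step 2 and the post-calculation), run end to end for a constructed group of n users, as an added example; this is not the patent's or NTT's code. Everything cryptographic is stood in by stdlib primitives and is an assumption of the example: the group G is a toy multiplicative group modulo the Mersenne prime 2^127−1 with generator 3 (not a secure parameter choice), tPRF, tPRF′ and F are HMAC-SHA256 stand-ins, and the BSC/BUSC signcryption and the dummy messages ε are omitted, so a "broadcast" is a plain dictionary shared by the n members and sid is computed over the broadcast X values instead of the cipher texts.

```python
"""Session key agreement of <Session Key Generation> with stdlib stand-ins.
Added example, not the patent's code.  Group, PRFs and hash are constructed
stand-ins (see the lead-in); BSC/BUSC and dummy messages are omitted."""
import hashlib
import hmac
import os

P = (1 << 127) - 1      # toy prime modulus (constructed, not secure)
G = 3                   # toy generator (constructed)
KAPPA_BYTES = 16        # 128-bit secret strings (constructed)


def tprf(st_tilde, x, st, x_tilde):
    """Stand-in for the twisted PRF tPRF: outputs an exponent in Z_p."""
    mac = hmac.new(st_tilde + x, st + x_tilde, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def tprf_prime(st_tilde, k, st, k_tilde):
    """Stand-in for tPRF': outputs a group element (g raised to a PRF value)."""
    return pow(G, tprf(st_tilde, k, st, k_tilde), P)


def F(key_material, sid):
    """Stand-in for F: G x {0,1}^kappa -> session key space (32 bytes here)."""
    return hmac.new(sid, key_material.to_bytes(16, "big"), hashlib.sha256).digest()


def tcr(*parts):
    """Stand-in for the target-collision-resistant hash TCR."""
    return hashlib.sha256(b"".join(parts)).digest()


class User:
    """One group member U_p holding the static secret strings st_p, st~_p."""

    def __init__(self, idx):
        self.idx = idx                       # ring position p = 1..n
        self.st = os.urandom(KAPPA_BYTES)
        self.st_tilde = os.urandom(KAPPA_BYTES)

    def step1(self):
        """Draw ESK_p, derive x'_p and k'_p, return X_p = g^{x'_p} for broadcast."""
        x, x_t, k, k_t = (os.urandom(KAPPA_BYTES) for _ in range(4))
        self.x_prime = tprf(self.st_tilde, x, self.st, x_t)
        self.k_prime = tprf_prime(self.st_tilde, k, self.st, k_t)
        self.X = pow(G, self.x_prime, P)
        return self.X

    def step2(self, X, sid):
        """X maps q -> X_q for every member.  Returns (k'_p, T_p), or (T', T_1) for U_1."""
        n = len(X)
        self.sid = sid
        left = X[n] if self.idx == 1 else X[self.idx - 1]    # ring neighbour p-1
        right = X[1] if self.idx == n else X[self.idx + 1]   # ring neighbour p+1
        self.K_left = pow(left, self.x_prime, P)             # X_{p-1}^{x'_p}
        T = self.K_left ^ pow(right, self.x_prime, P)        # T_p = X_{p-1}^{x'_p} xor X_{p+1}^{x'_p}
        if self.idx == 1:
            return (self.K_left ^ self.k_prime, T)           # T' = X_n^{x'_1} xor k'_1
        return (self.k_prime, T)

    def post(self, board):
        """board maps q -> the step-2 broadcast of U_q.  Returns the session key SK."""
        n = len(board)
        if self.idx == 1:
            self.k1 = self.k_prime
        else:
            T_prime = board[1][0]
            acc = 0
            for j in range(1, self.idx):                     # XOR_{1<=j<=p-1} T_j
                acc ^= board[j][1]
            self.k1 = T_prime ^ self.K_left ^ acc            # k'_1 recovered by U_p
        ks = self.k1
        for q in range(2, n + 1):                            # XOR_{1<=q<=n} k'_q
            ks ^= board[q][0]
        return F(ks, self.sid)


def run_session(n):
    """Run one session for n members; returns (users, list of derived SKs)."""
    users = [User(i) for i in range(1, n + 1)]
    X = {u.idx: u.step1() for u in users}                            # Step 1 broadcasts
    sid = tcr(*(X[i].to_bytes(16, "big") for i in range(1, n + 1)))  # sid over the broadcasts
    board = {u.idx: u.step2(X, sid) for u in users}                  # Step 2 broadcasts
    return users, [u.post(board) for u in users]


def all_agree(n):
    """True when every member derives the same 32-byte SK."""
    users, keys = run_session(n)
    return len(set(keys)) == 1 and len(keys[0]) == 32


if __name__ == "__main__":
    print(all_agree(5))
```

Why the recovery in `post` works: with K_{i,j} = g^{x′_i x′_j}, each T_j is K_{j−1,j} xor K_{j,j+1}, so T_1 xor . . . xor T_{p−1} telescopes to K_{n,1} xor K_{p−1,p}; U_p knows K_{p−1,p} = X_{p−1}^{x′_p}, and xoring it with T′ = K_{n,1} xor k′_1 cancels everything but k′_1. An outside party holding only the X values has no x′ and therefore no K term to cancel with.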
(Transmission and Reception of Message)
When transmitting a message MS, any user Up corresponding to IDp∈R encrypts MS with the session key SK using a symmetric key cryptosystem like AES, outputs a cipher text C, and broadcasts C.
After downloading the message, any user Up corresponding to IDp∈R removes ε as a dummy message and obtains the message MS.
A system for implementing the above-described concealed communication is now described.
First Embodiment
FIG. 1 shows a topology of a concealed communication system according to a first embodiment.
The concealed communication system includes a server device 100, K key generation devices 200-k (equivalent to the KGCk above), and N communication devices 300-i (equivalent to the Ui above). Here, k=1, 2, . . . , K and i=1, 2, . . . , N hold.
The server device 100 is a component of a concealed communication network and is communicatively connected with the N communication devices 300-i via a communication network 1. The K key generation devices 200-k are each communicatively connected with the N communication devices 300-i via the communication network 1. Note that the server device 100 and the K key generation devices 200-k may or may not be communicatively connected with each other. In addition, although this embodiment assumes that one communication device is operated by one user, one communication device may be operated by L users. Here, L is any integer greater than 1. In that case, one communication device may be regarded as L communication devices. When L communication devices are operated by one user, the L communication devices may be regarded as one communication device. The point is that the concealed communication system includes communication devices as many as the number of users of concealed communication services provided by the concealed communication system. However, when one user has more than one account, the one user may be regarded as multiple users.
Each of the server device 100, the K key generation devices 200-k, and the N communication devices 300-i is a specially designed device configured by loading of a special program into a well-known or dedicated computer having a central processing unit (CPU), a main storage unit (random access memory: RAM), and the like, for example. The server device 100, the K key generation devices 200-k, and the N communication devices 300-i each perform various kinds of processing under control of the central processing unit, for example. Data input to the server device 100, the K key generation devices 200-k, and the N communication devices 300-i or data resulting from their processing are stored in the main storage unit, for example, and the data stored in the main storage unit is read to the central processing unit for utilization in other processing as necessary. The processing components of the server device 100, the K key generation devices 200-k, and the N communication devices 300-i may at least partially be composed of hardware such as integrated circuitry. Storages included in the server device 100, the K key generation devices 200-k, and the N communication devices 300-i may be composed of a main storage unit such as random access memory (RAM), an auxiliary storage unit formed of a hard disk, an optical disk, or a semiconductor memory element such as flash memory, or middleware such as a relational database or a key value store, for example.
FIG. 2 shows a functional block diagram of the server device 100; FIG. 3 shows a functional block diagram of the key generation device 200-k; and FIG. 4 shows a functional block diagram of the communication device 300-i. FIG. 5 shows an example of the processing flow of the concealed communication system.
The server device 100 includes a session key generation information saving unit 110 and a message saving unit 120.
The key generation device 200-k includes a master key generation unit 210, a partial secret key generation unit 220, and a storage 230.
The communication device 300-i includes a secret key generation unit 310, a signature encryption unit 320, a signature decryption unit 330, a session key generation unit 380, and a message sending and receiving unit 370. The session key generation unit 380 further includes a session key generation first processing unit 340, a session key generation second processing unit 350, and a session key generation post-processing unit 360.
The communication device 300-i communicates with at least m out of the K key generation devices 200-k and generates a secret key (S1).
Next, the communication device 300-p generates a session key which will be used in communication with other communication devices 300-q included in a group to which the communication device 300-p itself belongs via the server device 100 (S2). Using the secret key generated at S1, information to be transmitted and received are encrypted and decrypted.
The communication device 300-p transmits and receives messages to/from other communication devices 300-q included in the group to which the communication device 300-p itself belongs via the server device 100 (S3). The messages are encrypted and decrypted using the session key generated at S2. Further, using the secret key generated at S1, encrypted messages are encrypted and decrypted.
The contents of processing will be described more specifically below.
<S1: Secret Key Generation>
The server device 100 generates or selects system parameters (p, G, g, TCR, tPRF, tPRF′, F), stores them in a storage not shown, and discloses them. The term “disclose” means saving something so that it is accessible to the N communication devices 300-i included in the concealed communication system.
The master key generation unit 210 of each of the K key generation devices 200-k generates a master secret key BMSKk and a master public key BMPKk using BSC.Setup ((BMSKk, BMPKk)←BSC.Setup (1 κ)), and discloses the master public key BMPKk. The master secret key BMSKk is stored in the storage 230 and kept secret. The phrase “keeping secret” means saving certain information such that it cannot be accessed by unauthorized users or other devices.
The partial secret key generation unit 220 of each of the K key generation devices 200-k generates a partial secret key bsk(k) i for each communication device 300-i using BSC.Extract with the master secret key BMSKk and the identifier IDi of each communication device 300-i as input (bsk(k) i←BSC.Extract(BMSKk, IDi)), and transmits it to each communication device 300-i. For example, the partial secret key generation unit 220 receives the identifier IDi and a partial key generation request from each communication device 300-i, and generates the partial secret key bsk(k) i upon request.
The secret key generation unit 310 of each communication device 300-i obtains the partial secret key bsk(k)i from each of at least m key generation devices 200-k, concatenates the partial secret keys bsk(k)i using Combine, calculates a secret key bski (bski←Combine ({bsk(k)i}k∈[1,m])), and stores it in a storage not shown, keeping it secret. Here, m is any integer greater than 0 and K or less.
Further, the secret key generation unit 310 generates secret character strings sti, st˜i (sti ∈R {0, 1}κ, st˜i ∈R saltκ), stores a static secret key SSKi=(bski, sti, st˜i) in a storage not shown, and keeps it secret.
In the subsequent processing, each communication device 300-i transmits and receives information that is encrypted with the secret key bski to/from the server device 100, so the server device 100 is unable to decrypt the information.
<Broadcast>
A way for a communication device 300-p belonging to a certain group to broadcast the message M to other communication devices 300-q belonging to that group is now described.
<<Signature Encryption Processing>>
The signature encryption unit 320 of any communication device 300-p that belongs to the set R among the N communication devices 300-i takes the message M, the secret key bskp, and the set R as input, generates a cipher text CTp with BSC (CTp←BSC ({BMPKk}k∈[1,m], IDp∥M, bskp, R′)), and transmits the cipher text CTp to the server device 100. The secret key bskp is fetched from a storage not shown. The set R can be acquired (for example, distributed by a representative communication device of the group) at the time of becoming a member of the group or at the time of changing a communication device belonging to the group, and the communication device 300-p stores it in a storage not shown and fetches it at the time of broadcasting. {BMPKk}k∈[1,m] is acquired by receiving the one disclosed at the master key generation unit 210 of the key generation device 200-k (k∈[1, m]), storing it in a storage not shown, and fetching it at the time of broadcasting. The message M is input only once in some manner within a series of exchanges (a single broadcast), and similarly the cipher text CTp is also generated only once and transmitted. For example, the message M may be information entered by the user of the communication device 300-p or information acquired or generated based on entered information, or may be information collected by the communication device 300-p from a storage not shown or information acquired or generated based on collected information.
The signature encryption unit 320 of any communication device 300-r (r=n+1, n+2, . . . , N) that does not belong to the set R among the N communication devices 300-i selects a dummy message ε from G×{0, 1}^v_ID and transmits it to the server device 100.
The session key generation information saving unit 110 of the server device 100 receives the message that was encrypted by the communication device 300-p (that is, cipher text CTp), and stores n cipher texts such that they are downloadable by the other communication devices. The session key generation information saving unit 110 also receives the dummy messages ε transmitted by each communication device 300-r not belonging to the set R, and stores N−n dummy messages such that they are downloadable by the other communication devices.
<<Signature Decryption Processing>>
The signature decryption unit 330 of each of the n communication devices 300-p belonging to the set R among the N communication devices 300-i downloads n−1 cipher texts CT1, . . . , CTp−1, CTp+1, . . . , CTn and N−n dummy messages ε from the server device 100. However, the signature decryption unit 330 of the communication device 300-p may also be configured to download n cipher texts (CT1, . . . , CTn) and N−n dummy messages ε and discard the cipher text CTp transmitted by the communication device 300-p itself. Further, the signature decryption unit 330 decrypts the cipher text CTq with BUSC ((IDq, M)←BUSC ({BMPKk}k∈[1,m], bskp, CTq)). If the result of decrypting the cipher text is (IDq, M), the communication device 300-p regards M as the message transmitted from the communication device 300-q. Further, the signature decryption unit 330 of the communication device 300-p discards the N−n dummy messages ε.
The signature decryption unit 330 of each of the N−n communication devices 300-r not belonging to the set R among the N communication devices 300-i downloads n cipher texts CT1, . . . , CTn and N−n−1 dummy messages ε from the server device 100. However, the signature decryption unit 330 of the communication device 300-r may also be configured to download n cipher texts (CT1, . . . , CTn) and N−n dummy messages ε and discard the dummy message ε transmitted by the communication device 300-r itself.
Further, the signature decryption unit 330 discards the downloaded cipher texts (CT1, . . . , CTn) and dummy messages ε. Note that the signature decryption unit 330 of a communication device 300-r not belonging to the set R is unable to decrypt the downloaded cipher texts (CT1, . . . , CTn).
Broadcast executes the processing in the signature encryption unit 320 and the processing in the signature decryption unit 330 described above at intervals of a predetermined time T1. For example, the above-described processing in the signature encryption unit 320 is executed at a random point within a predetermined time T (<T1). When the predetermined time T has elapsed, the processing in the signature decryption unit 330 is executed.
<S2: Session Key Generation>
The session key generation unit 380 of any communication device 300-p belonging to the set R broadcasts information for use in generation of a session key (hereinafter, also called session key generation information). That is, it encrypts the session key generation information and transmits it to the server device 100.
The session key generation unit 380 of any communication device 300-r not belonging to the set R broadcasts a dummy message. That is, it transmits a dummy message to the server device 100.
When the predetermined time T has elapsed, the session key generation unit 380 of the communication device 300-p belonging to the set R downloads encrypted n−1 pieces of session key generation information and N−n dummy messages ε from the server device 100, decrypts the encrypted n−1 pieces of session key generation information using the secret key bskp, and generates a session key using the decrypted n−1 pieces of session key generation information and the session key generation information generated by itself.
When the predetermined time T has elapsed, the session key generation unit 380 of the communication device 300-r not belonging to the set R downloads encrypted n pieces of session key generation information and N−n−1 dummy messages ε from the server device 100 and discards them.
A specific example of the processing performed by the session key generation unit 380 is now described.
<<Session Key Generation First Processing>>
The session key generation first processing unit 340 of any communication device 300-p belonging to the set R among the N communication devices 300-i generates xp ←R {0, 1}^κ, x~p ←R salt^κ, kp ←R {0, 1}^κ, and k~p ←R salt^κ as an ephemeral secret key ESKp, and calculates x′p=tPRF(st~p, xp, stp, x~p) and k′p=tPRF′(st~p, kp, stp, k~p). Further, the session key generation first processing unit 340 calculates Xp=g^x′_p and broadcasts Xp. That is, it obtains CTp←BSC ({BMPKk}k∈[1,m], IDp∥Xp, bskp, R′) and transmits the cipher text CTp to the server device 100. tPRF, tPRF′, and g are acquired by receiving the ones disclosed at the server device 100, and st~p and stp are acquired by fetching the ones stored as the static secret key SSKp=(bskp, stp, st~p) in a storage not shown. Note that, as mentioned previously, Xp is also called the first information and k′p is also called the second information.
The session key generation first processing unit 340 of any communication device 300-r not belonging to the set R among the N communication devices 300-i generates xi ←R {0, 1}^κ, x~i ←R salt^κ, ki ←R {0, 1}^κ, and k~i ←R salt^κ as the ephemeral secret key ESKi and broadcasts ε. That is, it transmits ε to the server device 100. Here, ε is a dummy message selected from G×{0, 1}^v_ID.
The session key generation information saving unit 110 of the server device 100 receives encrypted n pieces of first information Xp and N−n dummy messages ε and stores them in a downloadable manner.
<<Session Key Generation Second Processing>>
The session key generation second processing unit 350 of any communication device 300-p belonging to the set R among the N communication devices 300-i downloads n−1 cipher texts CT1, . . . , CTp−1, CTp+1, . . . , CTn and N−n dummy messages ε from the server device 100. The session key generation second processing unit 350 removes the dummy messages ε and decrypts {CTq}ID_q∈R\{ID_p} to obtain {Xq}ID_q∈R\{ID_p} ((IDq, Xq)←BUSC ({BMPKk}k∈[1,m], bskp, CTq)).
The session key generation second processing unit 350 of any communication device 300-p other than a communication device that serves as a representative (hereinafter, also called a representative communication device) among the n communication devices 300-p belonging to the set R calculates sid=TCR(CT1, . . . , CTn) and Tp = X_{p−1}^x′_p xor X_{p+1}^x′_p, and broadcasts (k′p, Tp). That is, the session key generation second processing unit 350 obtains CTp←BSC ({BMPKk}k∈[1,m], IDp∥(k′p, Tp), bskp, R′) and transmits the cipher text CTp to the server device 100. TCR is acquired by receiving the one disclosed at the server device 100.
The session key generation second processing unit 350 of the representative communication device (for example, communication device 300-1) among the n communication devices 300-p belonging to the set R calculates sid=TCR(CT1, . . . , CTn), T1 = X_n^x′_1 xor X_2^x′_1, and T′ = X_n^x′_1 xor k′1, and broadcasts (T′, T1). That is, it obtains CT1←BSC ({BMPKk}k∈[1,m], ID1∥(T′, T1), bsk1, R′) and transmits the cipher text CT1 to the server device 100.
The session key generation second processing unit 350 of any communication device 300-r not belonging to the set R among the N communication devices 300-i downloads all the cipher texts (CT1, . . . , CTn) and N−n−1 dummy messages ε from the server device 100 and discards them. It further broadcasts a new dummy message ε. That is, the session key generation second processing unit 350 transmits ε to the server device 100. Here, ε is a dummy message selected from G^2×{0, 1}^v_ID.
The session key generation information saving unit 110 of the server device 100 receives n−1 sets of (k′p, Tp), one set of (T′, T1), and N−n dummy messages ε and stores them in a downloadable manner. Note that, as mentioned previously, Tp is also called the third information and T′ is also called the fourth information. The session key generation information described above is information including the first information, the second information, the third information, and the fourth information, for example.
<<Session Key Generation Post-Processing>>
The session key generation post-processing unit 360 of any communication device 300-p belonging to the set R among the N communication devices 300-i downloads n−1 cipher texts CT1, . . . , CTp−1, CTp+1, . . . , CTn and N−n dummy messages ε from the server device 100. The session key generation post-processing unit 360 removes ε as dummy messages.
The session key generation post-processing unit 360 of any communication device 300-p other than the representative communication device 300-1 among the n communication devices 300-p belonging to the set R decrypts {CTq}ID_q∈R\{ID_p} and obtains {(k′q, Tq)}ID_q∈R\{ID_1, ID_p} and (T′, T1) ((IDq, (k′q, Tq))←BUSC ({BMPKk}k∈[1,m], bskp, CTq), (ID1, (T′, T1))←BUSC ({BMPKk}k∈[1,m], bskp, CT1)). The session key generation post-processing unit 360 calculates k′1 = T′ xor X_{p−1}^x′_p xor (XOR_{1≤q≤p−1} Tq) and SK = F(XOR_{1≤p≤n} k′p, sid) to obtain the session key SK.
The session key generation post-processing unit 360 of the representative communication device 300-1 among the n communication devices 300-p belonging to the set R decrypts {CTq}ID_q∈R\{ID_1} and obtains {(k′q, Tq)}ID_q∈R\{ID_1} ((IDq, (k′q, Tq))←BUSC ({BMPKk}k∈[1,m], bsk1, CTq)). The session key generation post-processing unit 360 calculates SK = F(XOR_{1≤i≤n} k′i, sid) to obtain the session key SK.
The session key generation post-processing unit 360 of any communication device 300-r not belonging to the set R among the N communication devices 300-i downloads all the cipher texts (CT1, . . . , CTn) and N−n−1 dummy messages ε from the server device 100 and discards them.
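The ring-structured derivation carried out by the first, second and post-processing units above (Xp, then Tp and T′, then recovery of k′1 and SK), as an added example that is not part of the patent. It assumes a toy group Z_P* with P = 2^127 − 1 and g = 3, models tPRF/tPRF′ and F with HMAC-SHA256 and TCR with SHA-256 over the round-1 broadcasts, and omits the BSC/BUSC signcryption layer, so the broadcasts are passed around as plain dictionaries.

```python
import hashlib
import hmac
import secrets
from functools import reduce

# Toy parameters, constructed for this example (far too small for real use):
KAPPA = 32          # kappa = 256 bits, handled as bytes
P = 2**127 - 1      # modulus of the toy group (Mersenne prime M127)
G = 3               # generator g
ELEM = 32           # fixed-width group-element encoding, so X^x' XORs with a 32-byte k'


def xor(*parts: bytes) -> bytes:
    """Bytewise XOR of equal-length strings."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))


def enc(elem: int) -> bytes:
    return elem.to_bytes(ELEM, "big")


def tprf(st_tilde: bytes, x: bytes, st: bytes, x_tilde: bytes) -> bytes:
    """Model of tPRF / tPRF' (assumption): the static pair keys an HMAC over the ephemeral pair."""
    return hmac.new(st_tilde + st, x + x_tilde, hashlib.sha256).digest()


def session_id(first_round: dict) -> bytes:
    """Model of sid = TCR(CT1, ..., CTn) (assumption): SHA-256 over the ordered round-1 broadcasts."""
    return hashlib.sha256(b"".join(first_round[q] for q in sorted(first_round))).digest()


class Member:
    """Communication device 300-p in the set R, p = 1..n; p == 1 is the representative."""

    def __init__(self, p: int, n: int):
        self.p, self.n = p, n
        # static secret strings st_p, st~_p taken from SSKp
        self.st, self.st_tilde = secrets.token_bytes(KAPPA), secrets.token_bytes(KAPPA)

    def first(self) -> bytes:
        """First processing: ESKp -> x'p, k'p; broadcast Xp = g^x'p (first information)."""
        xp, x_t, kp, k_t = (secrets.token_bytes(KAPPA) for _ in range(4))
        self.x_prime = 1 + int.from_bytes(tprf(self.st_tilde, xp, self.st, x_t), "big") % (P - 2)
        self.k_prime = tprf(self.st_tilde, kp, self.st, k_t)        # second information k'p
        return enc(pow(G, self.x_prime, P))

    def second(self, X: dict, sid: bytes) -> dict:
        """Second processing: Tp from the two ring neighbours; the representative also forms T'."""
        self.sid = sid
        left = (self.p - 2) % self.n + 1                             # p-1, with 1 -> n
        right = self.p % self.n + 1                                  # p+1, with n -> 1
        self.k_left = enc(pow(int.from_bytes(X[left], "big"), self.x_prime, P))   # X_{p-1}^x'p
        k_right = enc(pow(int.from_bytes(X[right], "big"), self.x_prime, P))      # X_{p+1}^x'p
        T = xor(self.k_left, k_right)                                # third information Tp
        if self.p == 1:
            # fourth information T' = X_n^x'1 xor k'1; k'1 itself is never broadcast
            return {"T": T, "T_prime": xor(self.k_left, self.k_prime)}
        return {"T": T, "k_prime": self.k_prime}

    def post(self, round2: dict) -> bytes:
        """Post-processing: non-representatives recover k'1 from T', then SK = F(XOR k'q, sid)."""
        self.k_primes = {q: m["k_prime"] for q, m in round2.items() if "k_prime" in m}
        self.k_primes[self.p] = self.k_prime
        if self.p != 1:
            # T1 xor ... xor T_{p-1} telescopes to X_n^x'1 xor X_{p-1}^x'p, which unmasks T'
            self.k_primes[1] = xor(round2[1]["T_prime"], self.k_left,
                                   *(round2[q]["T"] for q in range(1, self.p)))
        key_material = xor(*(self.k_primes[q] for q in range(1, self.n + 1)))
        return hmac.new(key_material, self.sid, hashlib.sha256).digest()   # F modelled as HMAC


def run_exchange(n: int) -> list:
    """Run the three processing units for n group members; returns each member's SK."""
    members = [Member(p, n) for p in range(1, n + 1)]
    X = {m.p: m.first() for m in members}               # what the server stores after round 1
    sid = session_id(X)
    round2 = {m.p: m.second(X, sid) for m in members}   # what the server stores after round 2
    return [m.post(round2) for m in members]


if __name__ == "__main__":
    keys = run_exchange(5)
    print("all members agree:", len(set(keys)) == 1, keys[0].hex())
```

Note that only the representative's k′1 is masked by T′; every other k′q travels inside the group-encrypted round-2 broadcast, which is why the model returns it directly in that message.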
<S4: Message Transmission and Reception>
<<Message Transmission>>
The message sending and receiving unit 370 of any communication device 300-p belonging to the set R encrypts a message MS with the session key SK using a symmetric key cryptosystem such as AES and broadcasts the resulting cipher text C. That is, the message sending and receiving unit 370 obtains CTp←BSC ({BMPKk}k∈[1,m], IDp∥C, bskp, R′) and transmits the cipher text CTp to the server device 100. As broadcast is performed at intervals of the predetermined time T1, an empty message may be treated as the message MS when there is no message MS to send.
The message sending and receiving unit 370 of any communication device 300-r not belonging to the set R broadcasts a new dummy message ε. That is, the message sending and receiving unit 370 transmits ε to the server device 100 without encrypting it.
The message saving unit 120 of the server device 100 receives n cipher texts CT1, . . . , CTn and N−n dummy messages ε and stores them in a downloadable manner.
<<Message Reception>>
The message sending and receiving unit 370 of any communication device 300-p belonging to the set R downloads n−1 cipher texts CT1, . . . , CTp−1, CTp+1, . . . , CTn and N−n dummy messages ε from the server device 100. The message sending and receiving unit 370 removes ε as dummy messages and decrypts {CTq}ID_q∈R\{ID_p} to obtain the cipher text C ((IDq, C)←BUSC ({BMPKk}k∈[1,m], bskp, CTq)). Further, it decrypts the cipher text C with the session key SK to obtain the message MS.
The message sending and receiving unit 370 of any communication device 300-r not belonging to the set R downloads n cipher texts CT1, . . . , CTn and N−n−1 dummy messages ε from the server device 100, and discards them.
<Effects>
With the configuration described above, no decryption operation is required at the server device, which is a component of the concealed communication network. Moreover, since all the communication devices that receive concealed communication services transmit data to the server device and all of them download data from the server device, the source and destination of any transmission cannot be identified. In other words, metadata-concealed communication is realized: metadata is concealed using a number of key exchange devices, and a session key is exchanged among the communication devices beforehand to ensure anonymity against the concealed communication network, so that the number of operations performed in the concealed communication network is reduced to a constant and throughput improves. The source and destination of transmission are made unidentifiable by always producing communication between all the communication devices and the concealed communication network. For example, a network like The Onion Router (Tor) can be provided to a global enterprise or a company that utilizes satellite communications, and confidentiality in communication, including metadata, can be ensured.
<Other Modifications>
The present invention is not limited to the above embodiment and modification. For example, the above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary. In addition, changes may be made as appropriate without departing from the spirit of the present invention.
<Program and Recording Medium>
Further, various types of processing functions in the devices described in the above embodiment and modification may be implemented on a computer. In that case, the contents of the processing functions to be contained in each device are written in a program. When this program is executed on the computer, the various types of processing functions in the above-described devices are implemented on the computer.
This program in which the contents of processing are written can be recorded in a computer-readable recording medium. The computer-readable recording medium may be any medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.
Distribution of this program is implemented by sales, transfer, rental, and other transactions of a portable recording medium such as a DVD and a CD-ROM on which the program is recorded, for example. Furthermore, this program may be distributed by storing the program in a storage unit of a server computer and transferring the program from the server computer to other computers via a network.
A computer which executes such a program first stores the program, recorded in a portable recording medium or transferred from a server computer, in a storage thereof, for example. When the processing is performed, the computer reads out the program stored in the storage thereof and performs processing in accordance with the program thus read out. As another execution form of this program, the computer may directly read out the program from a portable recording medium and perform processing in accordance with the program. Furthermore, each time the program is transferred to the computer from the server computer, the computer may sequentially perform processing in accordance with the received program. Alternatively, a configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by a so-called application service provider (ASP)-type service, by which the processing functions are implemented only by an instruction for execution thereof and result acquisition. It should be noted that the program includes information which is provided for processing performed by electronic calculation equipment and which is equivalent to a program (such as data which is not a direct instruction to the computer but has a property specifying the processing performed by the computer).
Moreover, the devices are assumed to be configured with a predetermined program executed on a computer. However, at least part of these processing contents may be realized in a hardware manner.

Claims (9)

What is claimed is:
1. A communication device that performs communication with other communication devices while keeping anonymity via a concealed communication network including a server device, the communication device comprising:
processing circuitry configured to implement
a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively;
a signature encryption unit in which given that N communication devices including the communication device itself utilize concealed communication provided by the concealed communication network and that n communication devices out of the N communication devices belong to a group, (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device;
a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption unit downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices;
a session key generation unit that transmits session key generation information to the server device via the signature encryption unit, the session key generation information being information for use in generation of a session key, and generates the session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device itself; and
a message sending and receiving unit that transmits a cipher text encrypted with the session key via the signature encryption unit to the server device and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key.
2. A server device as a component of a concealed communication network that provides concealed communication to N communication devices, wherein n communication devices out of the N communication devices belong to a group, and each of the communication devices includes processing circuitry configured to implement a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively, a signature encryption unit in which (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device, a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption unit downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices, a session key generation unit that transmits session key generation information to the server device via the signature encryption unit, the session key generation information being information for use in generation of a session key, and generates the session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device itself, and a message sending and receiving unit that transmits a cipher text encrypted with the session key via the signature encryption unit to the server device and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key, the server device comprising:
processing circuitry configured to implement
a session key generation information saving unit that receives encrypted n pieces of the session key generation information and N−n number of the dummy messages and stores them in a downloadable manner; and
a message saving unit that receives encrypted n number of the cipher texts and N−n number of the dummy messages and stores them in a downloadable manner.
3. A concealed communication system comprising:
a server device;
K key generation devices; and
N communication devices, wherein
n communication devices out of the N communication devices belong to a group,
each of the communication devices includes processing circuitry configured to implement
a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by the K key generation devices, respectively,
a signature encryption unit in which (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device,
a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption unit downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices,
a session key generation unit that transmits session key generation information to the server device via the signature encryption unit, the session key generation information being information for use in generation of a session key, and generates the session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device itself, and
a message sending and receiving unit that transmits a cipher text encrypted with the session key via the signature encryption unit to the server device and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key, and the server device includes processing circuitry configured to implement
a session key generation information saving unit that receives encrypted n pieces of the session key generation information and N−n number of the dummy messages and stores them in a downloadable manner, and
a message saving unit that receives encrypted n number of the cipher texts and N−n number of the dummy messages and stores them in a downloadable manner.
4. The concealed communication system according to claim 3, wherein
the processing circuitry of each of the communication devices further implements the session key generation unit to include
a session key generation first processing unit in which (i-1) if the communication device itself belongs to the group, the session key generation first processing unit generates an ephemeral secret key, generates first information Xp and second information k′p using the ephemeral secret key, and transmits the first information Xp to the server device via the signature encryption unit, and (i-2) if the communication device itself does not belong to the group, the session key generation first processing unit transmits a dummy message to the server device,
a session key generation second processing unit in which (ii-1) if the communication device itself is a communication device other than a representative communication device belonging to the group, the session key generation second processing unit acquires n−1 pieces of first information Xq via the signature decryption unit, generates third information Tp from at least two pieces of the first information out of the n−1 pieces of the first information Xq, and transmits the second information k′p and the third information Tp to the server device via the signature encryption unit, and (ii-2) if the communication device itself is a representative communication device belonging to the group, the session key generation second processing unit acquires n−1 pieces of the first information Xq via the signature decryption unit, generates third information Tp from at least two pieces of the first information out of the n−1 pieces of the first information Xq, generates fourth information T′ from at least one piece of the first information out of the n−1 pieces of the first information Xq and from the second information k′p of the representative communication device, and transmits the third information Tp and the fourth information T′ to the server device via the signature encryption unit, and (ii-3) if the communication device itself does not belong to the group, the session key generation second processing unit acquires n pieces of the first information via the signature encryption unit and transmits a dummy message to the server device, and
a session key generation post-processing unit in which (iii-1) if the communication device itself is a communication device other than a representative communication device belonging to the group, the session key generation post-processing unit acquires n−1 pieces of third information Tq, n−2 pieces of second information k′q, and the fourth information T′ via the signature decryption unit, obtains the second information k′q of the representative communication device from at least one piece of the first information out of n−1 pieces of the first information Xq and from the fourth information T′, and generates a session key from n pieces of the second information k′p, and (iii-2) if the communication device itself is a representative communication device belonging to the group, the session key generation post-processing unit acquires n−1 pieces of the third information Tq and n−1 pieces of the second information k′q via the signature decryption unit and generates a session key from the n pieces of the second information k′p, and
the session key generation information includes the first information, the second information, the third information, and the fourth information.
5. A concealed communication method using a communication device that performs communication with other communication devices via a concealed communication network including a server device, comprising:
a secret key generation step of generating a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively;
a signature encryption step in which given that N communication devices including the communication device itself utilize concealed communication provided by the concealed communication network and that n communication devices out of the N communication devices belong to a group, (1-1) if the communication device itself belongs to the group, the signature encryption step includes encrypting input information with the secret key and transmitting the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption step includes transmitting a dummy message to the server device;
a signature decryption step in which (2-1) if the communication device itself belongs to the group, the signature decryption step includes downloading, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypting the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption step includes downloading encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices;
a session key generation step of transmitting session key generation information to the server device via the signature encryption step, the session key generation information being information for use in generation of a session key, and generating the session key using n−1 pieces of session key generation information acquired via the signature decryption step and session key generation information of the communication device itself; and
a message sending and receiving step of transmitting a cipher text encrypted with the session key via the signature encryption step to the server device and decrypting n−1 cipher texts acquired via the signature decryption step with the session key.
6. A concealed communication method using a server device as a component of a concealed communication network that provides concealed communication to N communication devices, wherein n communication devices out of the N communication devices belong to a group, each of the communication devices includes a secret key generation unit that generates a secret key using m partial secret keys included in K partial secret keys generated by K key generation devices, respectively, a signature encryption unit in which (1-1) if the communication device itself belongs to the group, the signature encryption unit encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the signature encryption unit transmits a dummy message to the server device, a signature decryption unit in which (2-1) if the communication device itself belongs to the group, the signature decryption unit downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the signature decryption unit downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices, a session key generation unit that transmits session key generation information to the server device via the signature encryption unit, the session key generation information being information for use in generation of a session key, and generates the session key using n−1 pieces of session key generation information acquired via the signature decryption unit and session key generation information of the communication device itself, and a message sending and receiving unit that transmits a cipher text encrypted with the session key via the signature encryption unit to the server device and decrypts n−1 cipher texts acquired via the signature decryption unit with the session key, the concealed communication method comprising:
a session key generation information saving step of receiving encrypted n pieces of the session key generation information and N−n number of the dummy messages and storing them in a downloadable manner, and
a message saving step of receiving encrypted n number of the cipher texts and N−n number of the dummy messages and storing them in a downloadable manner.
7. A concealed communication method using a server device, K key generation devices, and N communication devices, wherein n communication devices out of the N communication devices belong to a group, the concealed communication method comprising:
a secret key generation step in which each of the communication devices generates a secret key using m partial secret keys included in K partial secret keys generated by the K key generation devices, respectively;
a signature encryption step in which (1-1) if the communication device itself belongs to the group, the communication device encrypts input information with the secret key and transmits the information to the server device, and (1-2) if the communication device itself does not belong to the group, the communication device transmits a dummy message to the server device;
a signature decryption step in which (2-1) if the communication device itself belongs to the group, the communication device downloads, from the server device, encrypted n−1 pieces of the input information and N−n number of the dummy messages transmitted from the other communication devices and decrypts the encrypted n−1 pieces of the input information with the secret key, and (2-2) if the communication device itself does not belong to the group, the communication device downloads encrypted n pieces of the input information and N−n−1 number of the dummy messages transmitted from the other communication devices;
a step in which the communication device transmits session key generation information to the server device via the signature encryption step, the session key generation information being information for use in generation of a session key;
a session key generation information saving step in which the server device receives encrypted n pieces of the session key generation information and N−n number of the dummy messages and stores them in a downloadable manner;
a session key generation step in which the communication device generates the session key using n−1 pieces of session key generation information acquired via the signature decryption step and session key generation information of the communication device itself;
a step in which the communication device transmits a cipher text encrypted with the session key via the signature encryption step to the server device;
a message saving step in which the server device receives encrypted n number of the cipher texts and N−n number of the dummy messages and stores them in a downloadable manner; and
a message sending and receiving step in which the communication device decrypts n−1 cipher texts acquired via the signature decryption step with the session key.
8. A non-transitory computer-readable medium that stores a program for causing a computer to function as the communication device according to claim 1.
9. A non-transitory computer-readable medium that stores a program for causing a computer to function as the server device according to claim 2.
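The message flow of claims 6 and 7 (every one of the N devices uploads something in each round, the server stores all N uploads without distinguishing them, and only the n group members can open the n−1 other pieces and agree on a session key) can be exercised in a small simulation. The following is an added example, not the patent's own construction: the secret key is modelled as a hash of m of the K partial keys, all group members derive the same key, "signature encryption" is modelled as an HMAC-keystream cipher with an HMAC tag, dummy messages are random bytes of the same length as a sealed upload, and the session key is a hash of the sorted session key generation values. The names `make_partial_keys`, `seal`, `open_sealed`, `Server` and `run_protocol` are this example's own.

```python
"""Toy simulation of the concealed-communication flow in claims 6 and 7.

Added example; the combination rule for partial keys, the sealing
primitive, the dummy-message shape and the session-key derivation are all
assumptions made here, not the patent's own construction.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, MSG_LEN = 16, 32, 64


def make_partial_keys(K):
    """Stand-in for K key generation devices, each issuing one partial key."""
    return [secrets.token_bytes(32) for _ in range(K)]


def derive_secret_key(partial_keys, m):
    """Combine m of the K partial keys into one secret key (hash of the first m; assumption)."""
    if not 1 <= m <= len(partial_keys):
        raise ValueError("need 1 <= m <= K")
    return hashlib.sha256(b"".join(partial_keys[:m])).digest()


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Toy signature-encryption: keystream XOR, then an HMAC tag over nonce||ct."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Toy signature-decryption: None when the tag fails (a dummy, or a foreign key)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def dummy_message(payload_len):
    """Random bytes shaped exactly like a sealed upload carrying payload_len bytes."""
    return secrets.token_bytes(NONCE_LEN + payload_len + TAG_LEN)


class Server:
    """Stores every device's upload for each round 'in a downloadable manner'."""
    def __init__(self):
        self.rounds = {}

    def save(self, round_name, device_id, blob):
        self.rounds.setdefault(round_name, {})[device_id] = blob

    def download(self, round_name, requester):
        # A device fetches the N-1 uploads of the other devices.
        return [b for d, b in self.rounds[round_name].items() if d != requester]


def run_protocol(N, group, K, m, messages):
    """One session-key round and one message round for N devices; n = len(group) members."""
    group = set(group)
    group_key = derive_secret_key(make_partial_keys(K), m)
    # Assumption: a non-member's own secret key comes from different partial keys.
    outsider_keys = {i: derive_secret_key(make_partial_keys(K), m) for i in range(N) if i not in group}
    server = Server()

    # Round "skg": members upload sealed session key generation info, others a dummy.
    skg = {i: secrets.token_bytes(32) for i in group}
    for i in range(N):
        server.save("skg", i, seal(group_key, skg[i]) if i in group else dummy_message(32))

    # Each member opens the n-1 real pieces (dummies fail the tag) and derives the session key.
    session_keys = {}
    for i in group:
        opened = [p for p in (open_sealed(group_key, b) for b in server.download("skg", i)) if p is not None]
        session_keys[i] = hashlib.sha256(b"".join(sorted(opened + [skg[i]]))).digest()

    # Round "msg": members upload a ciphertext under the session key, others a dummy.
    for i in range(N):
        if i in group:
            server.save("msg", i, seal(session_keys[i], messages[i].ljust(MSG_LEN, b"\0")))
        else:
            server.save("msg", i, dummy_message(MSG_LEN))

    received = {i: sorted(p.rstrip(b"\0") for p in (open_sealed(session_keys[i], b)
                          for b in server.download("msg", i)) if p is not None) for i in group}
    outsider_opened = sum(open_sealed(outsider_keys[j], b) is not None
                          for j in outsider_keys for r in ("skg", "msg") for b in server.download(r, j))
    return {
        "uploads_per_round": {r: len(v) for r, v in server.rounds.items()},
        "lengths_uniform": all(len({len(b) for b in v.values()}) == 1 for v in server.rounds.values()),
        "session_keys_agree": len(set(session_keys.values())) == 1,
        "received": received,
        "outsider_download_count": {j: len(server.download("msg", j)) for j in outsider_keys},
        "outsider_opened": outsider_opened,
    }
```

Running `run_protocol(N=5, group=[0, 2, 3], K=3, m=2, messages={0: b"hello", 2: b"from 2", 3: b"from 3"})` shows the properties the claims describe: the server holds 5 same-length uploads per round, so it cannot tell from size alone which devices are in the group; each member receives exactly the n−1 = 2 other messages; the two non-members each download N−1 = 4 uploads (n real ones plus N−n−1 dummies) but open none of them.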
US16/960,129 2018-01-18 2019-01-16 Communication device, server device, concealed communication system, methods for the same, and program Active 2039-06-14 US11451518B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2018-006172 2018-01-18
JP2018006172A JP6842090B2 (en) 2018-01-18 2018-01-18 Communication equipment, server equipment, secret communication systems, methods, and programs
JPJP2018-006172 2018-01-18
PCT/JP2019/001097 WO2019142824A1 (en) 2018-01-18 2019-01-16 Communication device, server device, secret communication system, method thereof, and program

Publications (2)

Publication Number Publication Date
US20210126906A1 US20210126906A1 (en) 2021-04-29
US11451518B2 true US11451518B2 (en) 2022-09-20

Family

ID=67301044

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/960,129 Active 2039-06-14 US11451518B2 (en) 2018-01-18 2019-01-16 Communication device, server device, concealed communication system, methods for the same, and program

Country Status (3)

Country Link
US (1) US11451518B2 (en)
JP (1) JP6842090B2 (en)
WO (1) WO2019142824A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112600665B (en) * 2020-12-25 2023-12-01 江苏通付盾区块链科技有限公司 Hidden communication method, device and system based on block chain and encryption technology

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5606615A (en) * 1995-05-16 1997-02-25 Lapointe; Brian K. Computer security system
US7010809B2 (en) * 2001-03-13 2006-03-07 Sanyo Electric Co., Ltd. Reproduction device stopping reproduction of encrypted content data having encrypted region shorter than predetermined length
US20080155267A1 (en) * 2006-12-24 2008-06-26 Zeev Lieber Identity management system with an untrusted identity provider
US8631475B1 (en) * 2011-12-21 2014-01-14 Emc Corporation Ordering inputs for order dependent processing
US8966271B2 (en) * 1997-02-03 2015-02-24 Certicom Corp. Data card verification system
WO2017141399A1 (en) 2016-02-18 2017-08-24 株式会社日立製作所 Data processing system
US10374799B2 (en) * 2011-04-13 2019-08-06 Nokia Technologies Oy Method and apparatus for identity based ticketing
US10615959B2 (en) * 2015-07-22 2020-04-07 Megachips Corporation Memory device, host device, and memory system
US10666523B2 (en) * 2007-06-12 2020-05-26 Icontrol Networks, Inc. Communication protocols in integrated systems
US11146637B2 (en) * 2014-03-03 2021-10-12 Icontrol Networks, Inc. Media content management

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4146252B2 (en) * 2003-01-24 2008-09-10 日本電信電話株式会社 Anonymous communication method capable of identifying unauthorized persons, user device used in the method, and relay server device
JP4233437B2 (en) * 2003-11-27 2009-03-04 富士通株式会社 Anonymous data transmission method, anonymous data relay method, anonymous data transmission device, anonymous data relay device, anonymous data transmission program, and anonymous data relay program
JP5519600B2 (en) * 2011-08-18 2014-06-11 株式会社コナミデジタルエンタテインメント Game terminal, game system, and program

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
International Search Report dated Apr. 16, 2019 in PCT/JP2019/001097 filed on Jan. 16, 2019.
Japanese Office Action dated Jun. 23, 2020 in Japanese Patent Application No. 2018-006172 filed on Jan. 18, 2018 (with English language translation), citing above document AO therein.
Tyagi et al., "Stadium: A Distributed Metadata-Private Messaging System," SOSP '17, Oct. 2017 (total 26 pages).

Also Published As

Publication number Publication date
JP2019125957A (en) 2019-07-25
WO2019142824A1 (en) 2019-07-25
US20210126906A1 (en) 2021-04-29
JP6842090B2 (en) 2021-03-17

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: NIPPON TELEGRAPH AND TELEPHONE CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KOBAYASHI, TETSUTARO;KAWAHARA, YUTO;FUJI, HITOSHI;AND OTHERS;SIGNING DATES FROM 20200602 TO 20200820;REEL/FRAME:053706/0380

STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE